
S1156: Manjusaka

Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, Manjusaka consists of multiple components, only one of which (a command and control module) is freely available.[1]

Domain: Enterprise | ID: S1156 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Manjusaka matters because it represents a cross-platform intrusion framework for Windows and Linux implants with command-and-control capabilities and post-compromise functions. For leaders, the practical issue is not the tool name alone, but whether the organization can recognize framework-style activity: web-based C2, host discovery, command shell execution, screen capture, credential access from password stores and browsers, and possible exfiltration over the same C2 channel.

Executive priority

Prioritize validation of endpoint, network, and credential telemetry across Windows and Linux estates. This object is relevant to incident readiness because the mapped behaviors span discovery, execution, collection, credential access, command-and-control, and exfiltration. Security leaders should ask whether SOC playbooks can connect these signals into an intrusion narrative, whether browser and password-store credential exposure is being reduced, and whether audit evidence exists for monitoring outbound web traffic and sensitive data movement.

Technical view

MITRE does not provide a specific detection section for Manjusaka, so defenders should work from the mapped techniques and supported platforms. Validate coverage for Windows command shell execution, system and network discovery, file and directory enumeration, screen capture activity, access to password stores and browser credential locations, encoded C2 content, web-protocol C2, and exfiltration over an existing C2 channel. Detection engineering should focus on behavior chains rather than single indicators, especially discovery followed by credential access and outbound web communications.

Likely telemetry

  • Endpoint process creation and command-line telemetry on Windows and Linux
  • Windows command shell execution records where available
  • File system access telemetry for browser credential stores, password stores, and sensitive directories
  • Network connection logs, proxy logs, DNS logs, and firewall egress records for outbound web-protocol traffic
  • HTTP/S metadata and encoded payload indicators where legally and technically available

Detection direction

  • Build detections around correlated behavior: discovery commands or enumeration followed by credential-store access and unusual outbound web traffic.
  • Tune web C2 analytics carefully because HTTP/S is common business traffic; prioritize rare destinations, unusual user-agent or session patterns, encoded content indicators, and endpoints with preceding suspicious host activity.
  • Validate that Linux visibility is not weaker than Windows visibility, since the object supports both platforms.
  • Review false positives from administrators, software inventory tools, helpdesk utilities, and legitimate remote management tools that may perform discovery or command execution.
  • Use ATT&CK relationships to structure hunts for T1016, T1041, T1059.003, T1071.001, T1082, T1083, T1113, T1132.001, T1555, and T1555.003 rather than relying on a Manjusaka-specific signature.
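As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python sketch implements the correlated-behaviour idea above over constructed sample telemetry: discovery commands (T1082/T1016), then a read of a Chromium "Login Data" file or a Navicat registry key (T1555.003/T1555), then an HTTP connection to a destination outside an allowlist (T1071.001), with a base64 session-cookie check for T1132.001. The event field names, the allowlist, the 30-minute window and every sample event are assumptions made for the example.

```python
import base64
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): ws01 shows the full chain, ws02 is an admin running one inventory command.
EVENTS = [
    {"ts": "2024-09-04T09:00:00", "host": "ws01", "kind": "process", "value": "cmd.exe /c systeminfo"},
    {"ts": "2024-09-04T09:00:05", "host": "ws01", "kind": "process", "value": "cmd.exe /c netstat -ano"},
    {"ts": "2024-09-04T09:01:10", "host": "ws01", "kind": "file", "value": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-09-04T09:02:00", "host": "ws01", "kind": "network", "value": "http://203.0.113.10/", "cookie": base64.b64encode(b"ws01|10.0.0.5|DESKTOP").decode()},
    {"ts": "2024-09-04T09:00:00", "host": "ws02", "kind": "process", "value": "cmd.exe /c systeminfo"},
    {"ts": "2024-09-04T09:03:00", "host": "ws02", "kind": "network", "value": "http://intranet.example/"},
]
DISCOVERY_TOOLS = {"systeminfo", "hostname", "whoami", "ipconfig", "netstat", "ifconfig", "ss"}  # T1082 / T1016
CRED_STORE_MARKERS = ("login data", "premiumsoft\\navicat")  # T1555.003 Chromium DB, T1555 Navicat registry key (assumed paths)
ALLOWED_HOSTS = {"intranet.example"}  # known business destinations; anything else counts as rare in this demo
WINDOW = timedelta(minutes=30)

def stage(ev):
    """Map one event to a chain stage, or None if it is not interesting."""
    v = ev["value"].lower()
    if ev["kind"] == "process":  # strip the cmd.exe /c wrapper (T1059.003) and keep the tool's base name
        tool = (v.replace("cmd.exe /c", "").split() or [""])[0].rsplit("\\", 1)[-1].removesuffix(".exe")
        return "discovery" if tool in DISCOVERY_TOOLS else None
    if ev["kind"] in ("file", "registry"):
        return "credential_access" if any(m in v for m in CRED_STORE_MARKERS) else None
    if ev["kind"] == "network" and v.startswith("http"):
        return None if v.split("/")[2] in ALLOWED_HOSTS else "c2"
    return None

def encoded_cookie_leaks_host(ev):
    """T1132.001 check: does a base64 cookie decode to text that names the victim host?"""
    try:
        return ev["host"].lower() in base64.b64decode(ev.get("cookie", ""), validate=True).decode("ascii").lower()
    except (ValueError, UnicodeDecodeError):
        return False

def correlate(events, window=WINDOW):
    """Alert per host when discovery, then credential access, then web C2 fall inside one window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (s := stage(ev)) is not None:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s, ev))
    alerts = []
    for host, seq in by_host.items():
        for t_c2, _, ev in (x for x in seq if x[1] == "c2"):
            prior = [(t, st) for t, st, _ in seq if t_c2 - window <= t < t_c2]
            disc = min((t for t, st in prior if st == "discovery"), default=None)
            cred = max((t for t, st in prior if st == "credential_access"), default=None)
            if disc and cred and disc < cred:  # discovery preceded the last credential-store access
                alerts.append({"host": host, "c2_dst": ev["value"], "encoded_cookie": encoded_cookie_leaks_host(ev)})
    return alerts
```

Running `correlate(EVENTS)` flags only ws01; ws02's lone systeminfo with business-only egress never completes the chain, which is the false-positive case the list above warns about.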

Mitigation priorities

  • Reduce credential exposure by limiting browser-saved passwords where appropriate and strengthening controls around password stores and secrets handling.
  • Restrict and monitor command shell use, especially where remote execution or administrative contexts are involved.
  • Harden egress controls so outbound web traffic is logged, filtered, and reviewable rather than implicitly trusted.
  • Ensure endpoint protection and logging baselines cover both Windows and Linux systems in scope.
  • Prepare IR playbooks for framework-style intrusions, including host isolation, credential reset decisions, C2 containment, and data-exfiltration assessment.

Analyst notes and limits

The supplied ATT&CK object describes Manjusaka as a Chinese-language intrusion framework similar to Sliver and Cobalt Strike, with a GoLang ELF controller and Rust implants for Windows and Linux. The most useful defensive value comes from the technique relationships: discovery, command execution, collection, credential access, C2, encoding, and exfiltration. Treat the language description as a software characteristic, not as attribution.

Official detection guidance is not provided in the supplied object. Tactics are not specified directly on the malware object, so tactic references are derived from the related ATT&CK techniques. Local telemetry, environment baselines, and incident evidence are required before drawing conclusions about exposure or compromise.

Official MITRE ATT&CK definition

Manjusaka

Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, Manjusaka consists of multiple components, only one of which (a command and control module) is freely available.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (10 rows)

  • Enterprise | T1082 | System Information Discovery: Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.[1]
  • Enterprise | T1555 | Credentials from Password Stores: Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types.[1]
  • Enterprise | T1016 | System Network Configuration Discovery: Manjusaka gathers information about current network connections, local and remote addresses associated with them, and associated processes.[1]
  • Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique): Manjusaka gathers credentials from Chromium-based browsers.[1]
  • Enterprise | T1041 | Exfiltration Over C2 Channel: Manjusaka data exfiltration takes place over HTTP channels.[1]
  • Enterprise | T1059.003 | Windows Command Shell (sub-technique): Manjusaka can execute arbitrary commands passed to it from the C2 controller via `cmd.exe /c`.[1]
  • Enterprise | T1083 | File and Directory Discovery: Manjusaka can gather information about specific files on the victim system.[1]
  • Enterprise | T1113 | Screen Capture: Manjusaka can take screenshots of the victim desktop.[1]
  • Enterprise | T1132.001 | Standard Encoding (sub-technique): Manjusaka communication includes a client-created session cookie with base64-encoded information representing information from the victim system.[1]
  • Enterprise | T1071.001 | Web Protocols (sub-technique): Manjusaka has used HTTP for command and control communication.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Raw hash: 3fe77d38b5a653de...

Imported snapshots across ATT&CK releases (1):

  • Release 19.1 | Object version 1.0 | Status: Current bundle | Raw hash 3fe77d38b5a6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Talos Manjusaka 2022: Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  2. [2] mitre-attack S1156.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.